MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3763ee68b1f1f0baeab3101a18f04400ec9136b630f1e9cb92089875746db508. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	3763ee68b1f1f0baeab3101a18f04400ec9136b630f1e9cb92089875746db508
SHA3-384 hash:	4eabd7c2fa1c5313b1ed169b95c8519e9c68e414f58b617c5b2444b298e08d833522fb5760b7a387f0c38a0b4f8c0a05
SHA1 hash:	5882923b52eb372a2c07f72f1591db06a4297370
MD5 hash:	24000066fd0a67fdd2283e9cd993087f
humanhash:	table-zulu-california-stairway
File name:	24000066fd0a67fdd2283e9cd993087f.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'311'424 bytes
First seen:	2020-12-09 10:26:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c7f986b767e22dea5696886cb4d7da70 (5 x ModiLoader, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	24576:FiLDfJXRq+fowpGG7By3Z72mwe8gKmX9hIbEIKn:FiLr5By3Z7NagKAj
Threatray	354 similar samples on MalwareBazaar
TLSH	A455D02371A28436C111A9BD9E0780BE3F75FD767958F50E7BE0AD0C8E36A80E9191D7
Reporter	abuse_ch
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

24000066fd0a67fdd2283e9cd993087f.exe

Verdict:

No threats detected

Analysis date:

2020-12-09 10:32:57 UTC

Tags:

installer

Link:

https://app.any.run/tasks/a5083a34-b741-4907-bac7-948d8e022537

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107417/

Detection(s):

SecuriteInfo.com.Fareit-FZO95D22A767079.17814.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/558844

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3763ee68b1f1f0baeab3101a18f04400ec9136b630f1e9cb92089875746db508/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-12-08 23:07:19 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g5r642fr6hylv2vtcanbr4ceadwjcnvwgdy6ts4sbcmhk5dnwuea._file

Verdict:

malicious

ModiLoader

23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787

ModiLoader

29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4

ModiLoader

3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f

ModiLoader

49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab

ModiLoader

4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b

ModiLoader

4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6

ModiLoader

a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3

ModiLoader

bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86

ModiLoader

fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87

ModiLoader

+ 344 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:agenttesla family:modiloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201209-byklk941w2/

Behaviour

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

ModiLoader First Stage

AgentTesla

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

3763ee68b1f1f0baeab3101a18f04400ec9136b630f1e9cb92089875746db508

MD5 hash:

24000066fd0a67fdd2283e9cd993087f

SHA1 hash:

5882923b52eb372a2c07f72f1591db06a4297370

Link:

https://www.unpac.me/results/a0d7ef3a-3331-4b4a-a293-7ad3a0048620/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3763ee68b1f1f0baeab3101a18f04400ec9136b630f1e9cb92089875746db508

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

exe 3763ee68b1f1f0baeab3101a18f04400ec9136b630f1e9cb92089875746db508

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/900642/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/107417/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample